How can I tell if a password has good enough entropy to prevent brute-forcing on a realistic timescale? For example, if I have the following password, how can I determine if it is strong enough to prevent brute forcing?

Does the attacker know the general structure of the password, e.g. only ASCII characters, digits only at the end, all lowercase letters, and almost alternating letters and special characters?
– Daniel Beck♦ Apr 9 '11 at 8:42

Not all lowercase ;) and no, the attacker would not know the structure; it is based on a simple, easy-to-remember sentence with some basic changes that are consistent.
– abdadooo22 Apr 9 '11 at 9:16

4 Answers
4

From the Dropbox tech blog, this is the best article that I have seen recently, and it even shows an implementation of the theories discussed within. Please feel free to let me know if this is helpful in any way.

Another thing to keep in mind about security is the idea expressed in this XKCD comic.

Welcome to Super User! Here's a tip for ya: I would add a little more detail from the site, and impart knowledge to the OP. It's ok to hyperlink to a site, it's far better to hyperlink and then summarize.
– KronoS Jun 20 '12 at 19:21

1

Excellent link. Lots of very useful and detailed analysis. I was going to pull the most useful stuff into an edit of your answer, but there is just too much good stuff.
– killermist Jun 20 '12 at 19:36

I would have added quite a few more links, but this was my first post and I was limited. Thanks!
– dmcgill50 Oct 1 '12 at 17:38

I saw both sites give a misleading sense of security. I picked a common dictionary word, repeated it again and again, and "entropy" was increasing more than linearly, which is absurd.
– user39559 Apr 12 '11 at 12:33

1

Oh, I had missed the one in the middle. I like it much better, it's very good and at least they have a decent disclaimer.
– user39559 Apr 13 '11 at 20:23

+1 I learned a new word today. But I think I read the V word with an R somewhere ;-)
– Ellesa Jun 20 '12 at 19:26

Note also a more recent xkcd: xkcd.com/936 If you're not constrained to 8 characters, there's no real need to subject yourself to trying to remember (or even retype) line noise.
– Dave Sherohman Aug 24 '11 at 9:40
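
The effect user39559 describes in the comment above, where a repeated dictionary word keeps scoring higher, shown with a naive length-times-pool estimate next to a repetition-aware one. This is an added example, not code from any answer or from the linked sites; the sample word list, the 100,000-word dictionary size and the guess rate are assumptions.

```python
import math
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
WORDLIST = {"monkey", "dragon", "password", "letmein"}  # constructed sample
DICT_SIZE = 100_000  # assumed size of the attacker's real dictionary

def pool_size(pw):
    """Alphabet size implied by the ASCII character classes present."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))

def naive_bits(pw):
    """Length times log2(pool): treats every character as a random draw."""
    return len(pw) * math.log2(pool_size(pw)) if pool_size(pw) else 0.0

def smallest_unit(pw):
    """Shortest prefix u and count k such that pw == u * k."""
    for size in range(1, len(pw) + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return pw[:size], len(pw) // size
    return pw, 1

def repeat_aware_bits(pw):
    """Cost of guessing the repeated unit, plus log2 of the repeat count."""
    unit, count = smallest_unit(pw)
    if unit.lower() in WORDLIST:
        unit_bits = math.log2(DICT_SIZE)  # dictionary words are tried first
    else:
        unit_bits = naive_bits(unit)
    return unit_bits + math.log2(count)

def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate; depends on the hash in use
    for pw in ("monkey", "monkey" * 2, "monkey" * 4, "kT9#vQ2!"):
        n, r = naive_bits(pw), repeat_aware_bits(pw)
        print(f"{pw!r:28} naive={n:6.1f} bits  repeat-aware={r:5.1f} bits  "
              f"exhaust={years_to_exhaust(r, rate):.2e} years")
```

Each repetition adds a full word's worth of bits to the naive figure but only raises the repetition-aware figure by the log of the repeat count, which is why a meter without pattern matching overstates such passwords.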